2017 Money Laundering Regulations – risk assessment is the key
 In Industry Insights
0

Monday 26 June saw the 2017 Money Laundering Regulations – or, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, to give them their full title, come into force. You had a whole weekend to review the final version since they were published last Friday.

Of all the noise that surrounds these changes in important regulation, as is so often the case, the practical implications tend to get overlooked.

Practitioners want to know “what do we have to do differently, if anything?”.

This is our attempt at a plain English overview for lawyers. You should look elsewhere for a full run-down of the Money Laundering Regulations. The Joint Money Laundering Steering Group has just published revised guidance, and the Law Society is in the process of preparing its new Practice Note.

Okay, there is good news and bad news.

The GOOD news about the 2017 Money Laundering Regulations

If you are already working in the ‘regulated sector’ (i.e. transactional, corporate, probate, tax advice etc.), you are probably already doing most of what you need to do under the 2017 Money Laundering Regulations.

Undertaking Customer due diligence (CDD) on all matters? Check. AML policy and procedure? Check. Keeping CDD records? Check. Training staff? Check. Appointing MLRO? Check, check, check.

Heck, there is some even better news. If you don’t do anything that’s caught by the 2017 Money Laundering Regulations then none of this applies to you. To qualify that slightly, the Proceeds of Crime Act and Terrorism Act always apply i.e. not get involved in ML, report suspicions, not tip off etc. – but the administrative requirements of the Money Laundering Regulations may not.

Wait, what? The Money Laundering Regulations might not apply to us?

Let’s say you are a purely litigation practice, or employment, for example. Chances are you could ignore the Money Laundering Regulations altogether, whilst chuckling with schadenfreude at the rest of the profession. You simply do not do the type of transactional work that is attractive to money launderers.

Now, there are plenty of good reasons why a firm that is not bound by the 2017 Money Laundering Regulations would choose to follow them anyway. It’s good practice for a start – full CDD and interrogation as to source of funds and beneficial owners will put you in the best position possible to spot financial crime and report where necessary. That’s called self-preservation.

Then there’s the issue of firms that are partly covered by the Money Laundering Regulations (e.g. conveyancing) and partly not (e.g. personal injury). Does it really make sense to have two different approaches to money laundering compliance? There has to be some merit in a consistent approach across the board.

The BAD news

You will have to do something to be compliant with the 2017 Money Laundering Regulations. Inaction is not an option.

We start with the risk assessment requirement. As the title of this post suggests, we believe this is the single most important change in the AML regime.

For these purposes, risk assessment has two elements: firm wide and matter-specific. The former is a new requirement, and should be a priority. The latter you should already be doing.

What is a firm wide risk assessment?

Glad you asked! Quite simply, it is evidence that you as a firm have attempted to identify and codify where your weak points are. If criminals were going to target you for money laundering, where would you be vulnerable?

This risk assessment document becomes the cornerstone of your fight against financial crime. It should take central stage when you review your AML policy and procedures, content of your training sessions, etc.

Oh, by the way. You may one day be asked to produce your risk assessment to the authorities so it’s important for that reason alone. It’s potentially an offence to ignore the Money Laundering Regulations.

How to conduct a firm wide risk assessment

  1. Set aside some time with the senior people in you firm for a brain storming session. Think about the risks the firm faces in the following categories: your client profiles; your practice areas and types of transactions; geography; source of funds; and your internal systems and processes. Do this honestly and diligently. The temptation is to gloss over difficult issues – don’t! Get expert help if you need to, for example a money laundering audit.
  2. Send out a memo to your fee earners asking them to do a similar exercise. A survey might work well. You may find that there are issues and scenarios that you did not consider in your initial brainstorming session.
  3. Make one person (probably the MLRO) responsible for drafting up the risk assessment document. Get it signed off at board level. Commit to it.
  4. Communicate the risk assessment to everyone in the firm. It’s of absolutely no use – and a waste of everyone’s time – if you stick it in a lever arch file gathering dust.
  5. Review the risk assessment periodically – probably annually or whenever there is a material change in the law or your circumstances, for example you enter a new market in a high risk country.

Matter-specific risk assessments

Next up is the matter-specific risk assessment, which takes place at the beginning of a new matter, or when you take on a new client. As we say, you should already be doing this as part of the outgoing AML regime.

There is often a pro forma created upon file opening. You will be used to having to consider the client, the type of matter, source of funds and so on, then completing the form to say whether you think this is a high risk matter or not. Your assessment of risk is fundamental because it also dictates the type of CDD required (Regular, Enhanced or Simplified).

That’s been with us for 10 years, so shouldn’t come as a surprise. (Some practices still pay lip service to this process, but that’s a different story).

There are a couple of important changes to the matter-specific risk assessment to be aware of. You may therefore need to update your forms or workflows if using a case management system:

  1. PEPs can be UK-based. Under the old regime you could ignore UK-based ’politically-exposed persons’. No more. Apparently we Brits are just as likely to be exposed to the dodgy dealings associated with power as everyone else. How do you know if someone is a PEP? Do you make any enquiries of the client? Do you run ID checks against the AML databases (with the cost implications)? This will need some thinking about. You certainly can’t rely on Mr Jones volunteering that oh-by-the-way his wife happens to be a high-ranking diplomat. What’s the relevance of PEPs? They are automatically high risk and you have to go the extra mile on CDD.
  2. There are no longer any categories of clients that automatically qualify for Simplified Due Diligence. The hey-look-they-are-on-the-FCA-register-so-must-be-okay-right approach is gone. You may well consider that a financial institution, listed company or accountancy client (for example) poses a low risk, but the point is you have to make that assessment, rather than rely on an exemption.
  3. Don’t forget you have to document your risk assessment. Our motto with most things is that ‘if it isn’t recorded, it didn’t happen’. That record could be in a file note, pro forma or memo to MLRO, for example. It’s probably not good enough to simply tick a box – there should be some evidence of why you came to the conclusion that you did.

Other NEW things you must do

All of these are important but not difficult:

  1. Appoint a board-level person responsible for AML compliance. Your MLRO is almost certainly already at that level – if not, consider changing things up.
  2. Review your AML policies and procedures. A dull job, but necessary. Now it’s likely that you will not need to do a full re-write, unless your existing policy was written pre-2007 (in which case, naughty you). You may need to work in the updates about domestic PEPs and CDD. There are, or will be, plenty of precedents on the market if you want a sense-check, or are desperate to start from scratch.
  3. Communicate your changes to your staff. Train them in any changes to procedure, such as new risk assessment forms. Use this time as an opportunity to run your general AML refresher. Make the Law Society AML Practice Note required reading (when it surfaces).

Sign up to our fortnightly newsletter to receive more updates like this.

Recent Posts

Start typing and press Enter to search

Get your FREE COLP Insider email delivered fortnightly

We’ll never share your email address and you can opt out at any time, we promise

 

I do not want to subscribe

The GDPR in a nutshellIndustry Insights
All you need to know about accountants’ reports!Industry Insights